Rethinking security at work: it goes far beyond passwords

Organisations must use all the security tools available to them to protect their data and prevent falling victim to a breach.

Shares

With global giants such as Dixons, Carphone Warehouse and Ticketmaster all suffering serious data breaches in the past 12 months and Javelin Strategy & Research finding that more people than ever before have had their identities compromised, cyber security continues to be big news. These continued threats combined with the implementation of GDPR makes protecting and monitoring employee and business data a top priority.

Security was a major theme highlighted in Okta’s latest global Businesses @ Work report, which uses real-world, anonymised data from our customer network to shed light on trends driving deployment of cloud apps. The data clearly showed that organisations are no longer just adopting the best technologies, they’re securing them.

But given the ever-increasing number of cyber attacks, there’s still room for businesses to bolster every line of defense. Adopting new security technologies and maintaining both strong password hygiene and multi-factor authentication (MFA) policies are a few steps organisations should take to strengthen security against the threat of data breaches.

The following key findings identify the new threats businesses face today and provide tips on how to counter them.

Take advantage of new technologies

Organisations are now investing heavily in companies that have security tools or security use-cases like Jamf, KnowBe4, DigiCert, Cisco Umbrella, Mimecast, Sophos, and CloudFlare, all of which ranked in the top 15 fastest growing apps. Jamf, which provides software for managing and securing Apple devices, was the fastest growing app in our network with 389 per cent year-over-year growth. That growth not only indicates that employee demand is driving the adoption of Apple devices in the enterprise, but that IT departments are seeking out solutions that give employees the tools they want with the control that security and IT teams need.

Security awareness training company KnowBe4 grew 290 per cent in the past year, reflecting an increased focus on training employees around security best practices and methods to counter social engineering attacks. This shift in thinking can be directly linked to GDPR. As the deadline nears, security training is increasing as organisations become wary about GDPR’s implications. All employees – from junior to board level – must be held accountable for helping to identify and report potential data breaches and carry out the correct protocols to safeguard personal data. Security standards must be woven through a company’s culture rather than included as an add on.

Understand threat levels

Verizon’s 2017 Data Breach Investigations Report found that 81 percent of hacking related breaches are caused by compromised credentials — but what else do we know about attacks against identities? While China and Russia dominate the press headlines when it comes to data breaches and hacking, threats emanating from other areas of the world should not be overlooked. We may not hear about every one because more than 50 per cent of global attacks analysed do not have prior intel from the open source community, and of those attacks with no prior intel, 36 per cent are coming from Europe – of these, 19% are coming from France, 12% from the Netherlands, 11% from Russia, and 10% from Germany. As it’s easy for threat actors to make it appear as if threats are coming from somewhere else, these numbers may be skewed.

So, what does the threat landscape tell us? It's clear that both cloud and on-premises services are under attack, but credentials remain as a valuable prize for today's threat actors. And these attacks are not evenly distributed throughout the world. To better protect themselves, organisations should conduct their own security detection and monitoring, and leverage threat feeds from multiple sources. To make it more difficult for businesses, 23 percent of attacks come from Tor exit nodes, in other words, from the dark web. Tor helps mask cyber criminals in a shroud of anonymity, often making them immune from persecution. Unless your employees have a reason to leverage Tor or proxy anonymisers, you should block those IPs.

Improve password policies

To understand how to mitigate credential-based attacks, it’s important to understand what techniques hackers are employing. Three common tactics include: credential phishing, password spraying and brute force attacks. For credential phishing to work, all it takes is a single user to click a link and enter credentials to set a breach in motion. In a phishing attack, the attacker pretends to be a trusted user, website or organisation with the goal of tricking another user into sharing their credentials. Password spray attacks use common passwords (i.e. password123) and “spray” them across many domain accounts or domains using a cloud service, essentially playing a game of “guess and see”, with the hope of one working. Brute force attacks are similar to password spraying, but use a scripted computer algorithm to attempt to guess the password of a smaller set of users’ credentials.

There are different levels of sophistication when it comes to these threats, and businesses need to take multiple steps to mitigate them. Stronger password hygiene is one: simple analysis of comparing businesses’ password policies against a representative sample of publicly exposed passwords found that when given the option, users are not making the best choice when it comes to passwords. To bolster security, organisations should follow the National Institute of Standards and Technology (NIST) guidelines which suggest increasing complexity through length, recommending that passwords have a minimum of eight characters. Our calculations found that only 49.5 per cent of that representative password list used at least eight characters – which is why password policies should be implemented. Based on the maths alone, it would take a hacker 7,000 years to crack an eight character password – but of course, hackers employ other tactics to reduce this time to seconds.

As the hundreds of million of passwords that have been exposed in past breaches are available online, attackers are able to attempt to login with these previously used and common passwords across many accounts. Attackers are able to capitalise on bad habits like adding special characters at the end, including usernames, or adding uppercase characters at the beginning, and making just enough attempts to remain out of any lockout thresholds. Despite the increasing sophistication in password guessing algorithms, organisations can still minimise risks by enforcing rules that stop workers using common or breached passwords. While following the NIST guidelines to increase complexity and blocking out common or breached passwords can make for stronger password hygiene, there’s no silver bullet when it comes to passwords – and in phishing attacks, where a user hands over their credentials by clicking on a link, the password strength doesn’t matter. So what else can organisations do?

Implement the right multi-factor authentication

Although better password hygiene is an important piece of the security puzzle, businesses should implement a second factor of authentication to ensure best protection. The good news is that MFA adoption continues to grow, with nearly 70 per cent of Okta customers offering three or more factor options to their users today (compared to 62 per cent last year).

Even so, just implementing a second factor is not enough. Although security questions and SMS provide more security than nothing at all, these are not the best options. Instead, businesses should introduce the more secure MFA factors, such as a Yubikey or Okta Verify. And companies should use internal, open source and if possible, commercial threat intel to properly monitor services and update authentication policies as needed to mitigate the latest threats.

Security will and should remain one of the most important business considerations in the year ahead. By adopting simple authentication processes and making wider use of the security technology available in the market, organisations will be in a far better position to maximise their chances of protecting data and stopping themselves becoming the next Dixons, Carphone Warehouse or Ticketmaster.